Pass for Password Management

Lightweight and secure password management

1 AUG 2017 • 9 mins read

The password model is broken

Pretty much every security expert would agree that passwords are broken: they are difficult for legitimate users to manage and easy for hackers to crack. Massive password leaks are commonplace in the modern era, which makes password re-use across multiple sites a huge security vulnerability. Of course, remembering a unique, strong passphrase for every site you might use is a heavy task for a mere mortal. Two-factor authentication has been put forth as one solution, but it imposes a higher burden on the end user and can introduce vulnerabilities of its own, especially when delivered over SMS, even though its purpose is to strengthen one’s security.

Password managers help, but they also make juicy targets

Several password managers have been created to address this problem. I used to use LastPass as my password manager of choice, but I never felt totally comfortable with the fact that my data was stored on someone else’s server, especially since such stores are juicy targets for hackers. Perhaps more vulnerable still than the external server storage, many password managers are liable to leak information through their browser extensions or mobile apps. Browser extensions are available for pass as well, though I prefer to eschew this route.

Welcome to Pass

When I heard about pass I was intrigued by the idea of migrating my data from LastPass and switching to it as a multi-platform solution. It is written for Unix, so it works out of the box on platforms like macOS and Linux, but clients also exist for Windows, Android and iOS, and there is a wide variety of open-source external tools you can use to help manage your password store, though I haven’t found them necessary personally.

At a high level, pass stores your passwords in a directory of GPG-encrypted files, optionally managed with version control via git, which lets you sync changes across multiple devices and recover from changes you want to undo. The lightweight nature of pass lets you use standard system utilities to manage these files however you see fit. GPG offers strong encryption, and storing your passwords in this fashion greatly reduces the attack surface visible to a malicious actor.

Creating GPG keys

Option 2 sets the key size: more bits are more secure, but also take longer to decrypt. 2048 bits is the current default, which is considered fairly secure for now. Debate persists over how much is gained by 4096 bit RSA keys, though they are certainly stronger than 2048 bit RSA keys. Elliptic curve cryptography is an alternative scheme that has been gaining steam, but there is debate about the strength of some of the current implementations, about the degree to which they may have been designed with potential vectors for exploitation by the NSA, and about the limitations the advent of quantum computing may bring.

Option 3 relates to the expiration time of the key, which can be changed at any time.

Option 4 specifies a name for the key, which is required, whereas the subsequent options for email and contact are optional.

I’d recommend using a strong passphrase for your key as an additional level of protection!

Install pass

Initialize your password store

Pass will store your passwords in ~/.password-store. You can initialize your password store via “pass init” as below, substituting your own GPG key id for “ABCD1234”. You can see the GPG key id from the “gpg --list-keys” command, and the value you want to use is the 8-character code after the ‘/’ for the “pub” entry corresponding to your newly created key.

Initialize your password store with “pass init”:

# Fake PGP key ID, use your own...
$ pass init "ABCD1234"
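As an added example (not code from the original post), here is a small Python helper that pulls the key id and fingerprint out of gpg’s machine-readable listing instead of reading the human-readable one, whose layout (and the “8 characters after the slash”) varies between gpg versions. The sample listing is constructed and the ids, fingerprints and user id in it are placeholders.

```python
import subprocess
from typing import Optional

# Constructed sample of `gpg --list-keys --with-colons` output for one
# key. Ids, fingerprints and dates are fake placeholders, not a real key.
SAMPLE_COLONS = """\
tru::1:1501545600:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1501545600:1564617600::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1501545600::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1501545600:1564617600:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

def list_keys_colons() -> str:
    """Run the real command; the colon format is stable across gpg versions."""
    return subprocess.run(["gpg", "--list-keys", "--with-colons"],
                          check=True, capture_output=True, text=True).stdout

def find_key_for(listing: str, email: str) -> Optional[dict]:
    """Return the primary key whose user id contains `email`.

    In a pub record field 5 is the long key id (its last 8 hex digits are
    the short id the post refers to); the first fpr record after it
    carries the primary key's full fingerprint in field 10.
    """
    current = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "short_id": f[4][-8:], "bits": int(f[2]),
                       "fingerprint": None}
        elif f[0] == "fpr" and current and current["fingerprint"] is None:
            current["fingerprint"] = f[9]   # later fpr records belong to subkeys
        elif f[0] == "uid" and current and email.lower() in f[9].lower():
            return current
    return None

def pass_init_command(listing: str, email: str) -> list:
    """Build the `pass init` invocation with the full fingerprint, which gpg
    accepts as a key specifier and which, unlike an 8-character short id,
    cannot be confused with another key."""
    key = find_key_for(listing, email)
    if key is None:
        raise LookupError(f"no GPG key with a user id matching {email}")
    return ["pass", "init", key["fingerprint"]]

if __name__ == "__main__":
    print(" ".join(pass_init_command(SAMPLE_COLONS, "alice@example.com")))
```

To use it against your own keyring, pass `list_keys_colons()` in place of `SAMPLE_COLONS`.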

Transfer exported data (if already using a password manager)

At this point, you can use one of the following scripts to export your existing data into your password store. Otherwise, it’s time to start adding some passwords to manage!

Synchronize with git

You can synchronize your password store with git via the following command:

$ pass git init

You can create a remote repository for your password store on another machine like so:

$ cd /path/to/password_store
$ git init --bare

And now you can add this repository as the remote repo on your initial machine with pass set up and set it as the upstream branch:

And now you can synchronize changes to your password store via the standard git commands! (e.g., clone, push, pull, etc.)

On machines where pass is installed you can invoke “pass git <command>” to execute the git command for your password store.

Working with pass

Every password or piece of information is stored as a file in a directory tree, so pass supports the basic file-manipulation commands “ls”, “mv”, “cp”, “rm”, “grep” and “find”. Conventionally, the first line of the file is the stored password, and that line is what gets copied to the clipboard with the -c option. Pass supports autocompletion in most shells, though some legwork may be needed to enable it.

Examine the files in a folder

$ pass ls somefolder
somefolder
└── somesite

Not just for passwords

As alluded to before, since everything is a file, we can also use pass to store any kind of textual information. We can just invoke “pass edit <filename>” or “pass insert <filename>” to create a new entry which can be populated with whatever data you wish.

Often, you’ll want to include data like usernames or PINs along with your password. You may put the username in the filename to distinguish between different accounts for the same site. I tend to put such information in the files themselves, while designating functional differences in the filename. For example, facebook-work vs. facebook-personal.
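As an added example, and not one of the export scripts the post refers to nor the pass project’s own importer, the Python below converts a LastPass CSV export into entries laid out the way this post describes (password on the first line, username and URL below it, extra notes after) and, when two accounts for the same site would share a file name, appends the username to the name as suggested above. It assumes the classic LastPass column order url,username,password,extra,name,grouping,fav; the CSV is constructed.

```python
import csv
import io
import re
import subprocess

# Constructed LastPass export; assumed classic columns url,username,password,extra,name,grouping,fav ("http://sn" = secure note).
SAMPLE_CSV = """\
url,username,password,extra,name,grouping,fav
https://www.facebook.com,me@work.example,hunter2,,facebook,Social,0
https://www.facebook.com,me@home.example,correct horse,"PIN: 1234
recovery email: alt@home.example",facebook,Social,0
http://sn,,,Locker combination: 12-34-56,Gym locker,Personal,1
"""

def entry_name(row: dict, taken: set) -> str:
    """Store path like Social/facebook; on a collision append the username."""
    folder = re.sub(r"[^\w.-]+", "-", row["grouping"] or "misc").strip("-")
    base = re.sub(r"[^\w.-]+", "-", row["name"]).strip("-").lower()
    path = f"{folder}/{base}"
    if path in taken and row["username"]:
        path += "-" + re.sub(r"[^\w.@-]+", "-", row["username"])
    taken.add(path)
    return path

def entry_body(row: dict) -> str:
    """Password on line 1 (what `pass -c` copies), metadata below it."""
    lines = [row["password"]]          # empty for a secure note
    if row["username"]:
        lines.append(f"username: {row['username']}")
    if row["url"] and row["url"] != "http://sn":
        lines.append(f"url: {row['url']}")
    if row["extra"]:
        lines.append(row["extra"])
    return "\n".join(lines) + "\n"

def convert(csv_text: str) -> list:
    taken = set()
    return [(entry_name(r, taken), entry_body(r))
            for r in csv.DictReader(io.StringIO(csv_text))]

def import_into_pass(csv_text: str, dry_run: bool = True) -> list:
    """Pipe each body into `pass insert --multiline --force <path>`; with dry_run only return the commands."""
    cmds = []
    for path, body in convert(csv_text):
        cmd = ["pass", "insert", "--multiline", "--force", path]
        cmds.append(cmd)
        if not dry_run:
            subprocess.run(cmd, input=body, text=True, check=True)
    return cmds
```

Run with `dry_run=False` only after `pass init`; each entry is then encrypted to your key, so the plaintext CSV can be shredded afterwards.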

What about mobile?

As mentioned, there are pass clients available for Android and iOS that work really well once they’re configured. There’s been no looking back since migrating away from LastPass!

I won’t fully go into setting up an Android or iOS client, but in a nutshell, you can export your GPG keys in ASCII-armored form via an animated QR code.